vimdev · Vim (Vi IMproved) text editor developers list

Message #46658 of 65308
Re: feedkeys() allowed in sandbox


Andrew Maykov wrote:

> On 4/28/07, Bram Moolenaar <Bram@...> wrote:
> >It's better to make sure the sandbox works as it should.
> Yet another function to disable in sandbox:
> vi: fdm=expr fde=writefile([""],"phantom_was_here")

Yep, you found another one. Seems some of the new functions added in
Vim 7 were not properly checked for sandbox use. I think system()
should also not write the "input" argument to a file. It's quite
harmless, since you can't control the file name, but the shell command
is going to fail anyway. None of the others appear to be harmful.

> Proposal. Maybe it's sane to put security checks not just in
> functions like f_writefile(), but also put it to the core of fileio,
> e.g. if mch_fopen macro will check permissions before actually opening
> the file, then f_writefile() and friends, if any, will fail to harm the user.
>
> i.e. replace something like this:
> =CUT============================
> --- macros.h.orig 2007-04-29 00:57:16.000000000 +0700
> +++ macros.h 2007-04-29 00:58:38.000000000 +0700
> @@ -149,7 +149,7 @@
> #ifdef VMS
> # define mch_access(n, p) access(vms_fixfilename(n), (p))
> /* see mch_open() comment */
> -# define mch_fopen(n, p) fopen(vms_fixfilename(n), (p))
> +# define mch_fopen_impl(n, p) fopen(vms_fixfilename(n), (p))
> # define mch_fstat(n, p) fstat(vms_fixfilename(n), (p))
> /* VMS does not have lstat() */
> # define mch_stat(n, p) stat(vms_fixfilename(n), (p))
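
Review bot: only `mch_fopen` is renamed here for wrapping, while the context comment "see mch_open() comment" points at a separate mch_open() that this patch never touches. Any write that goes through mch_open() rather than mch_fopen() would not pass the new check, so either wrap that path as well or say in the proposal that only stdio-based opens are covered.
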
> @@ -158,7 +158,7 @@
> # define mch_access(n, p) access((n), (p))
> # endif
> # if !(defined(FEAT_MBYTE) && defined(WIN3264))
> -# define mch_fopen(n, p) fopen((n), (p))
> +# define mch_fopen_impl(n, p) fopen((n), (p))
> # endif
> # define mch_fstat(n, p) fstat((n), (p))
> # ifdef MSWIN /* has it's own mch_stat() function */
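
Review bot: the rename to `mch_fopen_impl` sits inside `# if !(defined(FEAT_MBYTE) && defined(WIN3264))`, so on builds where that condition is false nothing in these lines defines `mch_fopen_impl`. The wrapper added in the next hunk expands to it unconditionally, so whatever provides mch_fopen on those builds needs the same rename, or the wrapper needs the same guard.
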
> @@ -174,6 +174,9 @@
> # endif
> #endif
>
> +
> +#define mch_fopen(n, p) ( check_secure() ? NULL : mch_fopen_impl(n,p)
)
> +
> #ifdef HAVE_LSTAT
> # define mch_lstat(n, p) lstat((n), (p))
> #else
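
Review bot: the new `mch_fopen(n, p)` macro calls check_secure() without looking at the mode argument `p`, so an open for reading is refused exactly like an open for writing. If the goal is to stop writes, test `p` for write, append and update modes before returning NULL. Callers also get a plain NULL with nothing to tell a sandbox refusal from an ordinary fopen() failure, which deserves a comment at the definition.
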
> =/CUT===========================

I don't like this solution. Opening some files would be OK in the
sandbox, e.g., for reading. readfile() would be OK in the sandbox,
right?

--
How To Keep A Healthy Level Of Insanity:
15. Five days in advance, tell your friends you can't attend their
party because you're not in the mood.

/// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ download, build and distribute -- http://www.A-A-P.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///



Sat Apr 28, 2007 7:52 pm

Bram@...
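
The objection in the reply above is that a check at the file-open layer should depend on what the open is for. An added example (not code from the thread or from Vim's source) of a mode-aware gate that lets read-only opens through and refuses write-capable ones; `sandbox_active`, `mode_can_write` and `sandboxed_fopen` are hypothetical names, and the file name is constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the editor's sandbox state (not Vim's variable). */
static int sandbox_active = 0;

/* 1 if an fopen() mode string can create or modify a file: "w" and "a"
 * always can, and '+' turns "r" into read/write. */
static int mode_can_write(const char *mode)
{
    return strpbrk(mode, "wa+") != NULL;
}

/* Mode-aware gate: in the sandbox only pure read modes reach fopen(). */
static FILE *sandboxed_fopen(const char *name, const char *mode)
{
    if (name == NULL || mode == NULL)
        return NULL;
    if (sandbox_active && mode_can_write(mode))
        return NULL;            /* write-capable open refused in sandbox */
    return fopen(name, mode);
}

/* Returns 0 when every case behaves as intended, else the failing step. */
static int run_demo(void)
{
    const char *path = "sandbox_demo.tmp";   /* constructed sample file */
    FILE *f;
    int rc = 0;
    sandbox_active = 0;                      /* normal mode: create the file */
    if ((f = sandboxed_fopen(path, "w")) == NULL) return 1;
    fputs("hello\n", f);
    fclose(f);
    sandbox_active = 1;                      /* sandbox: reads only */
    if ((f = sandboxed_fopen(path, "r")) == NULL) rc = 2;
    else fclose(f);
    if (!rc && sandboxed_fopen(path, "w") != NULL) rc = 3;   /* truncate */
    if (!rc && sandboxed_fopen(path, "a") != NULL) rc = 4;   /* append */
    if (!rc && sandboxed_fopen(path, "r+") != NULL) rc = 5;  /* update */
    sandbox_active = 0;
    remove(path);
    return rc;
}

int main(void)
{
    return run_demo();
}
```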